Privacy StandardsThe HIPAA Privacy Standards are intended to protect the privacy of all individually identifiable health information created or held by covered entities, regardless of whether it is or ever has been in electronic form. This includes paper records and oral communications. Covered entities (health plans, providers, clearinghouses) must maintain documentation of their policies and procedures for complying with the standards, and must include a statement of who has access to protected health information, how it is used within the covered entity, and when it would or would not be disclosed to other entities. Providers must obtain a patient's consent for the disclosure or use of the patient's health information, even for treatment, payment, and health care operations purposes. Covered entities must make a reasonable effort not to use or disclose more than the minimum amount of information necessary to accomplish the intended purpose of the use or disclosure, except when the information is used for purposes of treatment. An individual has a right of access to his or her protected health information, to request amending or correcting it, and to receive an accounting of all disclosures. The privacy standards were published December 28, 2000 and the compliance date was April 14, 2003. The IHS developed and implemented the required HIPAA Privacy Standards policies, forms and training prior to the compliance date.
Final Rule published in the Federal Register on December 28, 2000
IHS Business Associate Agreement
IHS Privacy Documents
The following support documents for carrying out the HIPAA Privacy regulations were updated in September 2007: IHS Notice of Privacy Procedures, IHS HIPAA Compliance Forms and IHS HIPAA Policies and Procedures. They can be found on the Forms, Policies and Procedures page.
U.S. Department of Health and Human Services: Office for Civil Rights
This is the office charged with assisting covered health care organizations become compliant with the HIPAA Privacy Rule. OCR is also the office for enforcement of the Privacy Rule.